08 Oct, 2009

Published at 05:53PM

Tagged with plugin, rails, tips, and xss


Rails 2.3.5 and safe HTML by default

We’re all well aware of the dangers of XSS in web applications. It’s a scary thought. And most Rails developers know about the h() method typically used in views, as a convenient way to escape your strings to prevent a scripting attack. But it’s not really that convenient, since you have to do it a gajillion times.

And Michael Koziarski agrees. So he did something about it!

That commit sets up the infrastructure for safe HTML by default. So rather than use the h() method when you want to escape tags (the 95% use case and the new default), you now use raw() when you don’t (the 5% use case). That’s convenience.

Like I said, the commit above just sets up the infrastructure. If you want this behavior in your Rails 2.3-stable application, you’ll need this plugin.

This is also the default behavior in Rails 3.0, so it’s cool to have a chance to get used to this now, since it more-or-less changes the way you think about security in your views/helpers.
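To make the "safe by default" mechanism concrete, here is an added, self-contained model of it in plain Ruby. It is not code from the commit or the plugin above, and the SafeBuffer class, the render_comment view helper and the sample comment values are all constructed for illustration: template markup is marked safe, anything appended that is not marked safe is escaped, and raw() is the explicit opt-out.

```ruby
require "cgi"

# Minimal model of an escape-by-default output buffer (hypothetical,
# not ActiveSupport's real SafeBuffer). Appending an unmarked string
# escapes it; appending a string marked html_safe leaves it alone.
class SafeBuffer < String
  def html_safe?
    true
  end

  def concat(other)
    other = other.html_safe? ? other : CGI.escapeHTML(other.to_s)
    super(other)
  end

  def <<(other)
    concat(other)
  end

  def +(other)
    dup.concat(other)
  end
end

class String
  # Plain strings are untrusted by default.
  def html_safe?
    false
  end

  # Mark a string as trusted HTML so the buffer will not escape it.
  def html_safe
    SafeBuffer.new(self)
  end
end

# The old explicit h() helper; already-safe input is not escaped twice.
def h(str)
  str.html_safe? ? str : CGI.escapeHTML(str.to_s).html_safe
end

# The 5% case: deliberately emit a string without escaping.
def raw(str)
  str.to_s.html_safe
end

# Hypothetical view: template markup is safe, request values are not.
def render_comment(author, body)
  out = SafeBuffer.new
  out << '<p class="comment"><b>'.html_safe
  out << author   # untrusted, escaped automatically
  out << "</b>: ".html_safe
  out << body     # untrusted, escaped automatically
  out << "</p>".html_safe
end
```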
